Facebook Postpones the Launching of its Dating Feature in European Market Due to GDPR Compliance Issues
Facebook Dating, the company's in-app dating feature, launched in the US last year and is currently available in 20 countries around the world. The service draws upon data in your existing Facebook account to let you quickly create a dating profile, and you can also integrate photos from your Instagram account. You can then choose to match with potential dates among your friends of friends or opt to meet people completely outside of your network of friends.
Facebook Dating was initially set to be available to European users on February 13, the day before Valentine's Day. However, the unveiling of the social network’s new service has since been delayed to an unknown date after Ireland’s data protection regulator, the Data Protection Commission, raised concerns about Facebook Dating's compliance with the General Data Protection Regulation (GDPR) in the European Union, The Wall Street Journal reports.
Under EU rules, companies have to conduct a data protection impact assessment (DPIA) before launching a product or service that could impact their customers’ data. In order to enhance compliance with the GDPR where processing operations are likely to result in a high risk to the rights and freedoms of natural persons, the controller should be responsible for the carrying-out of a data protection impact assessment to evaluate, in particular, the origin, nature, particularity and severity of that risk. The outcome of the assessment should be taken into account when determining the appropriate measures to be taken in order to demonstrate that the processing of personal data complies with this Regulation. Where a data-protection impact assessment indicates that processing operations involve a high risk which the controller cannot mitigate by appropriate measures in terms of available technology and costs of implementation, a consultation of the supervisory authority should take place prior to the processing.
Informing data protection authorities before launching a new service that would entail processing of a huge amount of personal data is not new. Directive 95/46/EC provided for a general obligation to notify the processing of personal data to the supervisory authorities. While that obligation produced administrative and financial burdens, it did not in all cases contribute to improving the protection of personal data. Such indiscriminate general notification obligations therefore were abolished by the GDPR and replaced by effective procedures and mechanisms which focus instead on those types of processing operations which are likely to result in a high risk to the rights and freedoms of natural persons by virtue of their nature, scope, context and purposes. Such types of processing operations may be those which, in particular, involve using new technologies, or are of a new kind and where no data protection impact assessment has been carried out before by the controller, or where they become necessary in the light of the time that has elapsed since the initial processing.
A DPIA should be carried out by the controller, in this case Facebook, prior to the processing, i.e. the launch of the new feature, in order to assess the particular likelihood and severity of the high risk, taking into account the nature, scope, context and purposes of the processing and the sources of the risk. That impact assessment should include, in particular, the measures, safeguards and mechanisms envisaged for mitigating that risk, ensuring the protection of personal data and demonstrating compliance with the GDPR.
This should in particular apply to large-scale processing operations which aim to process a considerable amount of personal data at regional, national or supranational level and which could affect a large number of data subjects and which are likely to result in a high risk, for example, on account of their sensitivity, where in accordance with the achieved state of technological knowledge a new technology is used on a large scale as well as to other processing operations which result in a high risk to the rights and freedoms of data subjects, in particular where those operations render it more difficult for data subjects to exercise their rights.
According to Article 35 of the GDPR, “Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks.” (Paragraph 1)
The DPIA referred to above shall in particular be required in the case of: (a) a systematic and extensive evaluation of personal aspects relating to natural persons which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person; (b) processing on a large scale of special categories of data referred to in Article 9(1), or of personal data relating to criminal convictions and offences referred to in Article 10; or (c) a systematic monitoring of a publicly accessible area on a large scale. (Paragraph 3 of Article 35, GDPR)
A DPIA shall contain at least the following aspects:
- (a) a systematic description of the envisaged processing operations and the purposes of the processing, including, where applicable, the legitimate interest pursued by the controller;
- (b) an assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- (c) an assessment of the risks to the rights and freedoms of data subjects referred to in paragraph 1; and
- (d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with the GDPR taking into account the rights and legitimate interests of data subjects and other persons concerned.
Ireland’s Data Protection Commission said that Facebook had intended to launch Facebook Dating today, the day before Valentine’s Day, but said that it was “very concerned” to have learned about it so late. Facebook says it informed the regulator about the launch on February 3rd.
Prior consultation with the competent data protection authority is obligatory according to Article 36 of the GDPR, whose provisions are, mutatis mutandis, written below:
1. The controller shall consult the supervisory authority prior to processing where a data protection impact assessment under Article 35 indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk.
2. Where the supervisory authority is of the opinion that the intended processing referred to in paragraph 1 would infringe the provisions of the GDPR, in particular where the controller has insufficiently identified or mitigated the risk, the supervisory authority shall, within a period of up to eight weeks of receipt of the request for consultation, provide written advice to the controller and, where applicable, to the processor, and may use any of its powers referred to in Article 58 (of the GDPR, titled: Powers). That period may be extended by six weeks, taking into account the complexity of the intended processing. The supervisory authority shall inform the controller and, where applicable, the processor, of any such extension within one month of receipt of the request for consultation together with the reasons for the delay. Those periods may be suspended until the supervisory authority has obtained information it has requested for the purposes of the consultation.
3. When consulting the supervisory authority pursuant to paragraph 1, the controller shall provide the supervisory authority with:
(a) where applicable, the respective responsibilities of the controller, joint controllers and processors involved in the processing, in particular for processing within a group of undertakings;
(b) the purposes and means of the intended processing;
(c) the measures and safeguards provided to protect the rights and freedoms of data subjects pursuant to
(d) where applicable, the contact details of the data protection officer;
(e) the data protection impact assessment provided for in Article 35; and
(f) any other information requested by the supervisory authority.
As explained above, the GDPR requires a prior consultation period with the relevant data protection authority that can take up to eight weeks.
In a statement given to the WSJ, Facebook said that it is “taking a bit more time to make sure the product is ready for the European market.” It added that it has “worked carefully to create strong privacy safeguards, and have shared this information with the IDPC ahead of the European roll out.” Facebook says it completed the required data privacy assessment and shared it with the regulator when asked.
Bad luck for Europeans who are still searching for the “One”. Looks like Facebook won’t have a Valentine’s Day date for you just yet.
Regulation (EU) 2016/679 of The European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) 4.5.2016 L 119/54 Official Journal of the European Union.
GDPR, Recital 89.
‘Controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law. (Article 4.7, GDPR)
‘Processor’ means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller. (Article 4.7, GDPR)